AEPD (Spain) - EXP202105344: Difference between revisions

From GDPRhub
No edit summary
No edit summary
Line 71: Line 71:


=== Holding ===
=== Holding ===
The Spanish DPA held that the processing of personal data without consent, nor any other legitimate reason, constitutes an infraction under [[Article 6 (1) GDPR|Article 6(1) GDPR]] which establishes the cases in which the processing of personal data may be considered lawful.
The Spanish DPA held that the processing of personal data without consent, nor any other legitimate reason, constitutes an infraction under [[Article 6 GDPR#1 |Article 6(1) GDPR]] which establishes the cases in which the processing of personal data may be considered lawful.


The fine amounted to €10,000 after considering the defamatory purposes and the level of damage suffered by the data subject.  
The fine amounted to €10,000 after considering the defamatory purposes and the level of damage suffered by the data subject.  

Revision as of 06:49, 12 September 2022

AEPD - PS-00134-2022
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Type: Complaint
Outcome: Upheld
Started: 23.10.2021
Decided: 31.08.2022
Published:
Fine: 10,000 EUR
Parties: n/a
National Case Number/Name: PS-00134-2022
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Carmen Jurado Taboada

The Spanish DPA fined a private subject €10,000 for violating Article 6(1) GDPR by unlawfully publishing in their blog personal data of the data subject for defamatory purposes.


English Summary

Facts

A person publishes in their blog personal data about the data subject, who is a minor, with defamatory purposes. There are several posts with the data subject’s name, personal photos, and videos where neither was informed about being recorded nor gave their consent about the processing of their data.

The data subject requested to voluntarily withdraw the publications without success. A second try by the first instance jury was rejected and returned. Also, any allegations were made by the controller.


Holding

The Spanish DPA held that the processing of personal data without consent, nor any other legitimate reason, constitutes an infraction under Article 6(1) GDPR which establishes the cases in which the processing of personal data may be considered lawful.

The fine amounted to €10,000 after considering the defamatory purposes and the level of damage suffered by the data subject.


Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                               1/7










     File No.: EXP202105344



               RESOLUTION OF PUNISHMENT PROCEDURE

Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following


                                  BACKGROUND

FIRST: A.A.A. (hereinafter, the complaining party) dated October 23, 2021
filed a claim with the Spanish Data Protection Agency. The

claim is directed against B.B.B. with NIF ***NIF.1 (hereinafter, the part
claimed). The grounds on which the claim is based are as follows:

The claimed party has been publishing a blog for some time under the pseudonym
***PSEUDONYM.1, which is titled “***BLOG.1” (***URL.1 in which he makes assertions
such as that the complaining party is (...). There are many publications

in which it is tacitly and even expressly mentioned by name to the
complainant, also publishing images of himself.

Below, the complainant highlights those that he considers most relevant:


    - The one published on May 24, 2021, updated on October 5:
    ***URL.2
    In it, he publishes a video, without the consent of the claimant, that was made in the
    year 2011 or 2012, being a minor (there was not yet (...)) and, in addition, it was
    without him knowing he was being recorded. As you can see, to that video

    He titles it “***VIDEO.1”, and then says “(…)”.

    - ***URL.3
    - ***URL.4
    - ***URL.5
    - ***URL.6

    - ***URL.7
    - ***URL.8
    - ***URL.9
    - ***URL.10



Likewise, it affirms that it has asked the respondent party to voluntarily withdraw the
unsuccessful postings.

Along with the notification, a copy of the order issued by the Court of First

Instance and Instruction No. 1 of ***LOCATION.1 in the preliminary proceedings
***PROCEEDINGS.1 in which it is agreed to order and require the claimed party to
that, while said procedure is in progress, refrain from making new


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/7








publications related to the accused, as well as to remove from his blog the
existing publications.


SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, of Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), said claim was transferred to the claimed party, to
to proceed with its analysis and inform this Agency within a month of the
actions carried out to adapt to the requirements set forth in the regulations of
Data Protection.


The transfer, which was carried out in accordance with the regulations established in Law 39/2015, of
October 1, of the Common Administrative Procedure of the Administrations
Public (hereinafter, LPACAP), was not collected by the person in charge; but it turned out
returned by "unknown".


No response has been received to this transfer letter.

THIRD: On January 23, 2022, in accordance with article 65 of the
LOPDGDD, the claim filed by the claimant was admitted for processing.


FOURTH: On April 4, 2022, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure against the claimed party,
for the alleged infringement of Article 6.1 of the RGPD, typified in Article 83.5 of the
GDPR.


FIFTH: Notification of the aforementioned start-up agreement in accordance with the rules established in
Law 39/2015, of October 1, on the Common Administrative Procedure of the
Public Administrations (hereinafter, LPACAP) and after the term granted
for the formulation of allegations, it has been verified that no allegation has been received
any by the claimed party.


Article 64.2.f) of the LPACAP - provision of which the respondent was informed
in the agreement to open the procedure - establishes that if no
allegations within the stipulated period on the content of the initiation agreement, when
it contains a precise statement about the imputed responsibility,
may be considered a resolution proposal. In the present case, the agreement

beginning of the sanctioning file determined the facts in which the
imputation, the infraction of the RGPD attributed to the claimed and the sanction that could
prevail. Therefore, taking into consideration that the respondent has not
formulated allegations to the agreement to initiate the file and in attention to what
established in article 64.2.f) of the LPACAP, the aforementioned initial agreement is

considered in this case proposed resolution.

In view of everything that has been done, by the Spanish Data Protection Agency
In this proceeding, the following are considered proven facts:



                                PROVEN FACTS



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/7








FIRST AND ONLY: The respondent has been making publications in the
that uses personal data of the complaining party for defamatory purposes and without
no cause that legitimizes its treatment.


                           FOUNDATIONS OF LAW

                                            Yo

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679

(General Data Protection Regulation, hereinafter RGPD), grants each
control authority and according to the provisions of articles 47 and 48.1 of the LOPDGDD,
The Director of the Agency is competent to initiate and resolve this procedure.
Spanish Data Protection.


Likewise, article 63.2 of the LOPDGDD determines that: “The procedures
processed by the Spanish Agency for Data Protection will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations issued in its development and, as long as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures.”


                                            II

The physical image of a person, in accordance with article 4.1 of the RGPD, is a personal data.
nal and its protection, therefore, is the subject of said regulation. In article 4.2 of the
GDPR defines the concept of "treatment" of personal data.


It is, therefore, pertinent to analyze whether the processing of personal data carried out
through the reported publications is in accordance with the provisions of the RGPD.

In the first place and referring to the publications indicated in the background by

of the claimed, article 6.1 of the RGPD, establishes the assumptions that allow
consider the processing of personal data lawful:

"1. The treatment will only be lawful if it meets at least one of the following
conditions:
a) the interested party gave their consent for the processing of their personal data

for one or more specific purposes;
b) the treatment is necessary for the execution of a contract in which the interested party
is part of or for the application at the request of the latter of pre-contractual measures;
c) the treatment is necessary for the fulfillment of a legal obligation applicable to the
data controller;

d) the treatment is necessary to protect the vital interests of the interested party or another
Physical person.
e) the treatment is necessary for the fulfillment of a mission carried out in the interest
public or in the exercise of public powers vested in the data controller;
f) the treatment is necessary for the satisfaction of legitimate interests pursued

by the person in charge of the treatment or by a third party, provided that on said
interests do not override the interests or fundamental rights and freedoms of the
interested party that require the protection of personal data, in particular when the
interested is a child.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/7








The provisions of letter f) of the first paragraph shall not apply to the processing
carried out by public authorities in the exercise of their functions.


On this issue of the legality of the treatment, Recital 40 also affects
of the aforementioned RGPD, when it states that “In order for the treatment to be lawful, the
personal data must be processed with the consent of the interested party or
any other legitimate basis established in accordance with Law, either in the present
Regulation or by virtue of another Law of the Union or of the Member States to which
referred to in this Regulation, including the need to comply with the legal obligation

applicable to the data controller or the need to perform a contract with
which the interested party is a party or in order to take measures at the request of the
concerned prior to the conclusion of a contract.

In relation to the above, it is considered that there is evidence that the treatment

of data of the people who appear in the publications object of this
claim has been made without legitimizing cause of those included in article 6
of the GDPR.

The GDPR applies to personal data. Said regulation defines as «data
personal” means any information about an identified or identifiable natural person (“the

interested"); An identifiable natural person shall be deemed to be any person whose identity
can be determined, directly or indirectly, in particular by means of an identifier,
such as a name, an identification number, location data, a
online identifier or one or more elements of physical identity,
physiological, genetic, psychic, economic, cultural or social of said person.


                                            III

In accordance with the available evidence, it is considered that the party
claimed has committed an infringement of the regulations applicable to the protection of

personal data by publishing various entries on your blog in which data is collected
of the claimed (image, name and surnames) without their
consent, or any other legitimizing cause of data processing
personal.

The known facts constitute an infraction, attributable to the claimed party, for

violation of article 6.1 of the RGPD.

Said infringement is typified in article 83.5 of the RGPD, which provides the following:

"Infractions of the following provisions will be sanctioned, in accordance with the

paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the
global total annual turnover of the previous financial year, opting for
the largest amount:
a) the basic principles for the treatment, including the conditions for the

consent under articles 5, 6, 7 and 9.”

For the purposes of the limitation period of the infraction, the infraction indicated in paragraph
above is considered very serious and prescribes after three years, in accordance with article 72.1

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/7








of the LOPDGDD, which establishes that:

"Based on the provisions of article 83.5 of Regulation (EU) 2016/679,

considered very serious and will prescribe after three years the infractions that suppose
a substantial violation of the articles mentioned therein and, in particular, the
following:

b) The processing of personal data without the concurrence of any of the license conditions
treatment established in article 6 of Regulation (EU) 2016/679.»


                                            IV

In order to determine the amount of the administrative fine to be imposed, the
the provisions of articles 83.1 and 83.2 of the RGPD, precepts that indicate:


“Each control authority will guarantee that the imposition of administrative fines
under this Article for infringements of this Regulation
indicated in sections 4, 9 and 6 are in each individual case effective,
proportionate and dissuasive.”


“Administrative fines will be imposed, depending on the circumstances of each
individual case, in addition to or as a substitute for the measures contemplated in the
Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administration and its amount in each individual case will be duly taken into account:
a) the nature, seriousness and duration of the offence, taking into account the

nature, scope or purpose of the processing operation in question as well
such as the number of interested parties affected and the level of damages that
have suffered;
b) intentionality or negligence in the infringement;
c) any measure taken by the controller or processor to

alleviate the damages suffered by the interested parties;
d) the degree of responsibility of the person in charge or of the person in charge of the treatment,
taking into account the technical or organizational measures that they have applied under
of articles 25 and 32;
e) any previous infringement committed by the person in charge or the person in charge of the treatment;
f) the degree of cooperation with the supervisory authority in order to remedy the

infringement and mitigate the possible adverse effects of the infringement;
g) the categories of personal data affected by the infringement;
h) the way in which the supervisory authority became aware of the infringement, in
particular whether the person in charge or the person in charge notified the infringement and, if so, in what
measure;

i) when the measures indicated in article 58, section 2, have been ordered
previously against the person in charge or the person in charge in question in relation to the
same matter, compliance with said measures;
j) adherence to codes of conduct under article 40 or mechanisms of
certification approved in accordance with article 42, and

k) any other aggravating or mitigating factor applicable to the circumstances of the case,
such as financial benefits obtained or losses avoided, directly or
indirectly, through the infringement.”


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/7








Regarding section k) of article 83.2 of the RGPD, the LOPDGDD, article 76,
“Sanctions and corrective measures”, provides:


"two. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679
may also be taken into account:
a) The continuing nature of the offence.
b) The link between the activity of the offender and the performance of treatment of
personal information.
c) The profits obtained as a result of committing the offence.

d) The possibility that the conduct of the affected party could have induced the commission
of the offence.
e) The existence of a merger by absorption process subsequent to the commission of the
infringement, which cannot be attributed to the absorbing entity.
f) Affectation of the rights of minors.

g) Have, when not mandatory, a data protection delegate.
h) Submission by the person in charge or person in charge, on a voluntary basis, to
alternative conflict resolution mechanisms, in those cases in which
there are controversies between them and any interested party.”

In the present case, it is considered appropriate to graduate the sanction to be imposed from

in accordance with the following criteria established in article 83.2 of the RGPD:

 a) The nature and seriousness of the infraction, taking into account the purpose of the
    treatment operation in question, as well as the level of damage and
    damages they have suffered, when trying to identify the defendant with behaviors

    reprehensible or even illegal;
 b) the intentionality in the infraction, which expressly intends to discredit the
    reclaimed;

Considering the exposed factors, the fine for the imputed infraction is 10,000

€ (TEN THOUSAND EUROS).

Therefore, in accordance with the applicable legislation and having assessed the criteria for
graduation of sanctions whose existence has been proven,
the Director of the Spanish Data Protection Agency RESOLVES:


FIRST: IMPOSE B.B.B., with NIF ***NIF.1, for an infraction of article 6.1
of the RGPD, typified in article 83.5 of the RGPD, a fine of €10,000 (TEN THOUSAND
EUROS).

SECOND: NOTIFY this resolution to B.B.B.


THIRD: Warn the sanctioned party that he must make the imposed sanction effective once
Once this resolution is enforceable, in accordance with the provisions of the
art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure
Common Public Administrations (hereinafter LPACAP), within the payment term

voluntary established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
of December 17, through its entry, indicating the NIF of the sanctioned and the number
of procedure that appears in the heading of this document, in the account

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/7








restricted number ES00 0000 0000 0000 0000 0000, opened on behalf of the Agency
Spanish Department of Data Protection in the banking entity CAIXABANK, S.A.. In case

Otherwise, it will be collected in the executive period.

Received the notification and once executed, if the date of execution is
between the 1st and 15th of each month, both inclusive, the term to make the payment
voluntary will be until the 20th day of the following month or immediately after, and if

between the 16th and last day of each month, both inclusive, the payment term
It will be until the 5th of the second following month or immediately after.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Agency for Data Protection within a month from

counting from the day following the notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within a period of two months from the

day following the notification of this act, as provided in article 46.1 of the
aforementioned Law.

Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the firm resolution in administrative proceedings if the

The interested party expresses his intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact by
writing addressed to the Spanish Agency for Data Protection, presenting it through
Electronic Register of the Agency [https://sedeagpd.gob.es/sede-electronica-
web/], or through any of the other registers provided for in art. 16.4 of the

aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the
documentation proving the effective filing of the contentious appeal-
administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative within a period of two months from the day following the
notification of this resolution would end the precautionary suspension.



                                                                                938-050522
Sea Spain Marti
Director of the Spanish Data Protection Agency











C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es